When developing or using digital services, it’s common to use third-party technology tools however, this can leave organisations exposed to vulnerabilities—ones they did not create but may bear the consequences of.
The three most common cyber security risks associated with third-party products are:
1. Unpatched vulnerabilities: Many third-party products are not regularly updated with security patches, leaving them vulnerable to known exploits.
75% of attacks in 2020 used vulnerabilities that were at least two years old
2. Supply chain attacks: Attackers are increasingly targeting the supply chain, using compromised third-party products to infiltrate an organisation’s network. Notable examples include the MOVEit in June 23and Okta in Oct 23 breaches.
3. Inconsistent security updates: Delays or irregularities in delivering security updates and patches from the vendor can expose systems to new threats, making it one of the most prevalent risks.
A Guide to Security to Using Third-Party Products
How can organisations ensure that the tools they use, do not undermine their security posture?
The identification of the products and services being used is the first and most important step – but not as easy as it sounds. Most organisations have multiple IT systems and services that vary across departments, further complicated by potential use of ‘shadow IT’.
Knowing the first step of you supply chain is only the start – identifying who your suppliers are and who the suppliers are using can become very large and complex very quickly. Consider the most valuable information assets first, what 3rd party tools or services are used to process this data?
- Create a Product List
Once your service model is defined, list all proposed third-party products and their roles. Flag them for a security review to assess potential risks early in the process. - Check Existing Reviews
Verify if the products have been pre-approved or previously assessed within your organization. Ensure prior security due diligence aligns with your project’s needs and Secure by Design principles. - Conduct a Security Review
For unreviewed products, assess security against known risks and industry standards. Focus on relevant areas, such as data handling, security documentation, and vendor responsiveness to vulnerabilities. Balance security, cost, and functionality when selecting tools. - Compile a Risk Report
Document all assessments, including the function of each product, identified risks, and review criteria. Continuously update this report and share findings with key stakeholders and suppliers to inform decisions and drive security improvements.
By conducting proper security due diligence, organisations not only protect themselves but also help secure the broader supply chain. The ripple effect of mitigating risks with third-party products ensures safer digital environments for all users.
This approach fosters a proactive, secure-by-design mindset, where the security of technology products is considered at every stage—from procurement to deployment and beyond.
Image by freepik